diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index 92e943d4a0..7fb557b7c9 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -483,10 +483,6 @@ gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackSize|0x4000 !endif -!if $(SECURE_BOOT_ENABLE) == TRUE - gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00 -!endif - # IRQs 5, 9, 10, 11 are level-triggered gPcAtChipsetPkgTokenSpaceGuid.Pcd8259LegacyModeEdgeLevel|0x0E20 @@ -544,6 +540,11 @@ gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmApSyncTimeout|100000 !endif +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00 +!endif + + ################################################################################ # # Components Section - list of all EDK II Modules needed by this Platform. diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index 7f9220ccb9..4bcbddb957 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -489,10 +489,6 @@ gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackSize|0x4000 !endif -!if $(SECURE_BOOT_ENABLE) == TRUE - gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00 -!endif - # IRQs 5, 9, 10, 11 are level-triggered gPcAtChipsetPkgTokenSpaceGuid.Pcd8259LegacyModeEdgeLevel|0x0E20 @@ -552,6 +548,11 @@ gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmApSyncTimeout|100000 !endif +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00 +!endif + + ################################################################################ # # Components Section - list of all EDK II Modules needed by this Platform. diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 36c60fc19c..e52a3bd4db 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -488,10 +488,6 @@ gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackSize|0x4000 !endif -!if $(SECURE_BOOT_ENABLE) == TRUE - gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00 -!endif - # IRQs 5, 9, 10, 11 are level-triggered gPcAtChipsetPkgTokenSpaceGuid.Pcd8259LegacyModeEdgeLevel|0x0E20 @@ -551,6 +547,11 @@ gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmApSyncTimeout|100000 !endif +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00 +!endif + + ################################################################################ # # Components Section - list of all EDK II Modules needed by this Platform. diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index 26f7c3fdbb..1539e5b5cd 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -59,4 +59,11 @@ AmdSevInitialize ( ASSERT_RETURN_ERROR (PcdStatus); DEBUG ((DEBUG_INFO, "SEV is enabled (mask 0x%lx)\n", EncryptionMask)); + + // + // Set Pcd to Deny the execution of option ROM when security + // violation. + // + PcdStatus = PcdSet32S (PcdOptionRomImageVerificationPolicy, 0x4); + ASSERT_RETURN_ERROR (PcdStatus); } diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf index 16a8db7b0b..de7434d93d 100644 --- a/OvmfPkg/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/PlatformPei/PlatformPei.inf @@ -41,6 +41,7 @@ IntelFrameworkModulePkg/IntelFrameworkModulePkg.dec MdePkg/MdePkg.dec MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec UefiCpuPkg/UefiCpuPkg.dec OvmfPkg/OvmfPkg.dec @@ -96,6 +97,7 @@ gEfiMdeModulePkgTokenSpaceGuid.PcdPropertiesTableEnable gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy gUefiCpuPkgTokenSpaceGuid.PcdCpuLocalApicBaseAddress gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber gUefiCpuPkgTokenSpaceGuid.PcdCpuApInitTimeOutInMicroSeconds